Confused with Access Data Sources Across Domains RRS feed

  • Question

  • Basically, we have a small .NET application working as a web server to save data locally and a website is storing/retriving data from that application. Since the website is hosted on the Internet and the .NET application is listening on localhost on a specific port, we need to communicate using CORS requests.

    From our understanding of the documentation, if we want to use CORS, we need to set the following security option to "Enable" (or "Prompt"):

       "Internet Options" / "Security" tab / Internet (or affected zone) / "Custom level..." / "Miscellaneous" / "Access data sources across domains"

    But, what I got is the opposite.
       Disable: All features of the website are working
       Prompt: All features of the website are working but we don't see any prompt (even for CORS requests)
       Enable: CORS features doesn't work

    So, if we put the website on our intranet and play with predefined security settings, all features works except if we set the settings to "Low" because it enable "Access data sources across domains". That make no sense.

    Also, when the setting is disable or prompt and we look at the requests generated by Internet Explorer with Fiddler, we see a pre-flight requests (OPTIONS) including an ORIGIN tag header. But, if the setting is enable, no more pre-flight and no more ORIGIN.

    I'm totally confused. I tested it on Windows 7 with Internet Explorer 10 and also on Windows 7 with Internet Explorer 11.

    Is there something we don't understand with "Internet Options"?

    Friday, August 2, 2013 5:35 PM


All replies

  • Hi,

    you will find the documentation for security zone templates here...


    I cannot comment as I currently have a disputed ticket with connect.Microsoft.com about another security setting.

    I would suggest that you post a private ticket (viewable by MS staff only) about your concerns to the IE Feedback portal


    You will find updated information about

    Cross-Origin Resource Sharing (CORS) for XMLHttpRequest in IE10/11




    • Marked as answer by Nielyr Monday, August 5, 2013 12:24 PM
    Sunday, August 4, 2013 4:15 AM
  • Thank you for your answer. I found a CORS example on Microsoft's sites from the link you gave me and I found similar results. The site always say that the upload was a success, but if you look in F12 tools, you see no pre-flight, no ORIGIN and a 500 internal error when uploading with the option enable.

    I will try to use connect.microsoft.com like you suggest.

    • Edited by Nielyr Monday, August 5, 2013 12:04 PM
    Monday, August 5, 2013 12:02 PM